18 OCTOBER 2017 Consulting®

In this way, cybersecurity concerns have elevated vendor risk management activities to a new level while illustrating the extent to which cybersecurity issues spill into seemingly every key component of organizational strategy.

Becker confirms that companies are asking consulting firms to “create a holistic, comprehensive approach encompassing the overall business strategy with the cybersecurity strategy.” Becker also notes that consulting firms are increasingly responding to these needs with offerings that “help clients develop a comprehensive cybersecurity strategy that reduces risk, creates awareness and develops plans for incident response and business continuity in case of attack.”

Third- and fourth-party risk requires attention

As more companies invest in cloud technology, more information assets are stored externally (via hosted solutions). As a result, greater
portions of organizational cybersecurity effectiveness rely on vendors’ security capabilities.
The growing use of digital collaboration also
gives network access to more external partners.
“Enterprises now have an expanding attack surface because of the vast number of third parties
that have some degree of access to their network and/or their data,” says Fuhrman.

These conditions and risks have client
companies asking for more assistance with
adapting their vendor risk management programs to the digital age.

Wheeler recalls a recent discussion with a financial services company that centered on “fourth-party risk.” Some of the company’s larger vendors use vendors that also manage the company’s data. “Their concern centered on the smaller, fourth parties,” Wheeler says. “They wanted to get better visibility into whether those smaller vendors are resilient to ransomware and able to withstand a DDoS attack as well as the kinds of threats we’ve seen in the past 18 months.”

Given the quickly changing nature of cyberthreats, that visibility into third- and fourth-party security risks has an increasingly important timing component. A few years ago, VRM primarily consisted of manual activities: having vendors fill out questionnaires or self-assessments, and visiting the sites of a handful of key vendors. “Those types of assessments are still happening,” says Deloitte’s Mossburg, “but we’re also seeing more organizations trying to do some type of real-time monitoring of their third parties.”

The skills shortage is real—and driving innovation.

Access to cybersecurity skills remains a major challenge for most companies. Most businesses rely on IT and many organizations are in
the process of digitizing their primary modes of
creating value, Deutscher points out, “but few
of them have the scale or the brand to attract
and retain top cyber security professionals.”
That raises tough questions in terms of which
aspects of cybersecurity companies should seek
to source with full-time employees and which
areas they should source to external partners.

Wheeler also describes talent as a top cybersecurity challenge moving forward. He also
reports that the skills shortage is nudging more
client companies to 1) look at how they can
consolidate the number of security technologies
and vendors that they’re currently using; and 2)
deploy new methods (e.g., machine learning) to
“automate and orchestrate” their responses to
security incidents and risks.

Skills shortages, constantly changing risks,
rapid technological change – many of the factors defining the current state of cybersecurity
consulting also ensure that the challenges companies face in securing their digital assets will
persist for years, if not longer. As companies
increase their spending on cyber-related products and services, they likely will become much
more attuned to the degree to which those investments are securing valuable returns.